code-423n4 / 2024-04-lavarage-findings


The borrower can receive the opening fee, profit_share and interest_share #19

Closed c4-bot-7 closed 4 months ago

c4-bot-7 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/swap.rs#L12

https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/swapback.rs#L137

Vulnerability details

Impact

feeReceipient is not checked on borrow and repay. The borrower can pass any account, even their own account, so they receive the fee (i.e. free borrowing). Also, profit_share and interest_share will be transferred to the borrower instead of the platform.

This applies on borrow for the opening fee and on repay for both profit_share and interest_share.

Proof of Concept

Tools Used

Manual analysis

Recommended Mitigation Steps

Add a config account on the protocol level; this config will have fee_receipient, to be set by the admin. Then, on borrow and repay, check whether the passed account matches the one from the config.

Assessed type

Invalid Validation
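The recommended check, as an added example that is not part of the original report or the Lavarage code base: a std-only Rust model of the fee transfer on borrow, first with a caller-supplied fee account and then with that account compared against an admin-set config value. Every type, field and function name is hypothetical, and charging the fee by deducting it from the borrowed amount is a simplifying assumption.

```rust
// Added illustration: std-only model of the fee transfer on borrow.
// All names are hypothetical; this is not the project's code.
use std::collections::HashMap;

type Pubkey = [u8; 32];
type Ledger = HashMap<Pubkey, u64>;

#[derive(Debug, PartialEq)]
enum LendError { Unauthorized, InvalidFeeRecipient, InsufficientFunds }

/// Protocol-level config; only `admin` may change `fee_recipient`.
struct Config { admin: Pubkey, fee_recipient: Pubkey }

impl Config {
    fn set_fee_recipient(&mut self, signer: Pubkey, new: Pubkey) -> Result<(), LendError> {
        if signer != self.admin { return Err(LendError::Unauthorized); }
        self.fee_recipient = new;
        Ok(())
    }
}

/// Accounts and amounts supplied by the caller of the borrow instruction.
struct Borrow { pool: Pubkey, borrower: Pubkey, fee_account: Pubkey, amount: u64, fee: u64 }

/// Before: the fee goes to whatever account the caller passed.
fn borrow_unchecked(ledger: &mut Ledger, b: &Borrow) -> Result<(), LendError> {
    let pool_balance = ledger.get(&b.pool).copied().unwrap_or(0);
    if pool_balance < b.amount || b.fee > b.amount { return Err(LendError::InsufficientFunds); }
    ledger.insert(b.pool, pool_balance - b.amount);
    *ledger.entry(b.borrower).or_insert(0) += b.amount - b.fee;
    *ledger.entry(b.fee_account).or_insert(0) += b.fee;
    Ok(())
}

/// After: reject any fee account that differs from the configured one.
fn borrow_checked(cfg: &Config, ledger: &mut Ledger, b: &Borrow) -> Result<(), LendError> {
    if b.fee_account != cfg.fee_recipient { return Err(LendError::InvalidFeeRecipient); }
    borrow_unchecked(ledger, b)
}

fn main() {
    // Constructed sample keys and balances.
    let (admin, treasury, pool, user) = ([1u8; 32], [2u8; 32], [3u8; 32], [4u8; 32]);
    let cfg = Config { admin, fee_recipient: treasury };
    let mut ledger = Ledger::from([(pool, 1_000)]);
    let b = Borrow { pool, borrower: user, fee_account: user, amount: 100, fee: 5 };
    borrow_unchecked(&mut ledger, &b).unwrap();
    println!("unchecked: borrower holds {}", ledger[&user]);
    println!("checked: {:?}", borrow_checked(&cfg, &mut ledger, &b));
}
```

The same comparison would apply on repay for profit_share and interest_share.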

c4-judge commented 4 months ago

alcueca marked the issue as duplicate of #18

c4-judge commented 4 months ago

alcueca marked the issue as satisfactory